Check Point’s latest Global Threat Index has revealed that banking trojans were extensively used by cyber-criminals during August with three main variants appearing in the top 10.

The Zeus, Ramnit and Trickbot banking trojans all appeared in the top ten. The Trojans work by identifying when the victim is visiting a banking website, and then utilizes keylogging or webinjects to harvest basic login credentials or more sensitive information such as PIN numbers. Another popular method used by tojans is re-directing victims to fake banking websites, designed to mimic legitimate ones and steal credentials that way.

The Index also revealed that Globe Imposter, a ransomware disguised as a variant of the Globe ransomware, was the world’s second most prevalent malware in August. Though it was discovered in May 2017, the malware did not begin to rapidly proliferate until August, distributed by spam campaigns, malvertising and exploit kits. Upon encryption, Globe Imposter appends the .crypt extension to each encrypted file, and a payment is demanded from victims in return for decrypting their valuable data.

The driving factor behind a majority of cybercrime is the financial gain. Witnessing both a highly effective ransomware variant and a range of banking Trojans in the top ten malware families, underlines how tenacious and sophisticated malicious hackers continue to be in their attempts to extort money.

Trend of banking trojans activity in recent months

Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.
RoughTed remained the top malware in August, although its global impact decreased from 18% to under 12% of organizations worldwide. Global Imposter in second place had a global impact of 6% and Hacker Defender in third place with 4% global impact.

1. ↔ RoughTed – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
2. ↑ Globe Imposter – Ransomware disguised as a variant of the Globe ransomware. It was discovered in May 2017, and is distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.
3. ↓ Hacker Defender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
4. ↓ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
5. ↔ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
6. ↑ Pushdo – Trojan used to infect a system and then download the Cutwail spam module and can also be used to install additional third party malware.
7. ↔ Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
8. ↑ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
9. ↑ Rig ek – Exploit Kit first introduced in 2014. Rig delivers Exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.
10. ↑ Trickbot – Banking Trojan which is a Dyre variant and emerged in October 2016. Trickbot can pull web-injection instructions from its C&C servers online when victims try to reach a website, in contrast to most banking Trojans who update their configurations periodically.

Hummingbad, which appeared in the top ten every month for the first half of 2017 excluding July, did not make a re-appearance. The most popular malware used to attack organizations’ mobile estates shifted in August, with Triada moving up from third place, followed by Hiddad and Gooligan:

Top 3 ‘Most Wanted’ mobile malware:
1. Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware, which helps the malware become embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
2. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
3. Gooligan – Android malware capable of rooting devices and stealing email addresses and authentication tokens stored on the device.

These results illustrate how diverse and dynamic the cyber threat landscape is. Just a few months ago, Hummingbad was incredibly dominant, but in August did not even appear in the top ten. Similarly, ransomware has been grabbing most of the cybersecurity headlines, yet well-established banking Trojans are on the rise again. It’s vital for organizations to be alert to these shifting threats and simultaneously keep their defenses up against well-known malware families, and at the same time remain alert to new variants and new zero-day threats. This requires a multi-layered cybersecurity strategy able to respond to a broad range of continually evolving attack types. Solutions like our SandBlast™ Zero-Day Protection and Mobile Threat Prevention aren’t luxuries or optional extras – they are essential protection in a continually evolving threat landscape.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.